Questionable Coding Concepts - Episode 1. Variable Variables

Mar 17, 2019

In this first of a new series of articles on the dodgiest of dodgy programming language features, we discover ‘variable variables’, and a slew of fun and exciting security vulnerabilities which you can introduce to your code if you choose to use them!

”..your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”  1

Flexibility might be a great thing in a language, but you sometimes have to wonder precisely what particular problem a feature was designed to solve, and quite what the authors of said feature were thinking when they introduced it.

This is certainly true in the case of Variable Variables, a particularly fun and exciting  2 feature of PHP. Observe:

  $field = 'username';
  $username = 'chas';
  $$field = 'dave';
  echo $field;
  echo $username;

What’s the output from this code?

If you eventually answered “username and dave”, you’d be right. Have you already noticed how cryptic the code can become when you’re using this stuff? Variable variables allow us to use variables to assign values to other arbitrarily created or selected variables. This is an immensely powerful ability, and as we all know, with great power comes great responsibility  3. Unfortunately, PHP developers don’t have the greatest reputation for responsibility, especially ones who stitch together their code from stuff posted on StackOverflow  4.

Why would you do that?

PHP has a rich and colourful history, and its naissance as a system for building websites in the wild-west years of the internet have left their mark on the language. Consider this example, and imagine that we’re handling a variety of different user forms with hundreds of entries:

  $params = explode('&', $_SERVER['QUERY_STRING']);
  foreach ($params as $param) {
      list($key, $value) = explode('=', $param);
      $$key = $value;
  }

Gosh, one small loop! The flexibility! With a tiny bit of code, we can import values from any form, and avoid all that tedious repetition of assignments from specific form fields to specific variables. I’m sure you’re all starting to groan, mentally if not physically, but let’s just spell out the issues here by adding some context to what we just looked at:

  $admin = False;
  ...
  $params = explode('&', $_SERVER['QUERY_STRING']);
  foreach ($params as $param) {
      list($key, $value) = explode('=', $param);
      $$key = $value;
  }
  if ($admin == False)....

I’m sure you can imagine the fun to be had altering query strings to give yourself access to arbitrary variables on the server. There are plenty of examples online of interesting uses to which people have put these. Here’s an example paraphrased from one of them:

  $employees = array('Andy','Bob','Chris');
  $employee_andy = 'Andy the Admin';
  $employee_bob = 'Bob the Builder';
  $employee_chris = 'Chris the Cleaner';

  foreach ($employees as $e) {
    echo "$e\`s role is ${'employee_' . strtolower($e)}. <br />";
  }

Yes, an employee database is clearly the right place to be using variable variables.

Dollar signs all the way down

So sure, we have $$a, and that works, but the madness doesn’t end there. Check this one out:

<?php
$a = "name";
$$a = "that";
$that = "hello";
$$$a = "What?!?";

echo $that;
?>

…which naturally outputs “What?!?”. At this point, I have no idea how many levels of indirection PHP can handle. Perhaps it’ll go as deep as the stack; who knows? I suppose we ought to praise PHP for having a parsimonious interpreter.

Other languages

Now this isn’t a scourge which is peculiar to PHP. Take a look at the entry for Dynamic Variable Names at Rosetta Code. It has to be admitted that most of these are hacks and of course the lower-level you go, the more you’re able to do just about anything, but PHP stands out (alongside a few versions of BASIC) for making this a de facto feature of the language. There are instances where using them makes sense, but almost universally, they seem to be a stand-in for a lack of properly structured code and data handling.

Honorable Mention - Variable Function Calls

As it happens, I’ve been writing a bit of COBOL lately, and while you might not be able to set dynamic variable names in COBOL (it’s a pretty solid language in that regard), you can use variables to call arbitrary functions (well, subprograms - COBOL doesn’t have functions). Again, it’s fairly unlikely that you’ll be using COBOL to parse webforms, unless you happen to be using it to write an API.

Are you aware of this being particularly prominent in any other languages? Or got another questionable feature that you thing I should be featuring? Comment below.

Notes

  1. Quote from Dr. Ian Malcolm, Jurassic Park.

  2. In our exploration of questionable coding concepts, we will frequently come across features of languages whose applications can result in fun and exciting results.

  3. As you’ll know from studying your Spiderman, who was quite clearly plagiarised by William Lamb.

  4. We’ve all done it.